On 15/05/2017 00:08, Mirimir wrote:
| WanaCrypt0r will then download a TOR client from
| https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
| and extract it into the TaskData folder. This TOR client is used to
| communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion,
| 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion,
| 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.
https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-te...
Was the increased number of downloads from the malware visible in the logs?
I mean, if you are able to detect such an event and be reasonably sure that the downloads do not come from humans, you could stop them. If the URL is hardcoded you could, say, move the file and it would not affect users.
(This is of course assuming that blocking the possibility of contacting the said onion services would be of any help in blocking the malware.)
Cristian
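An added example, not from this thread or from the Tor Project, of the log check Cristian is describing: parse web-server access logs in the combined format (an assumption about the log layout), count successful fetches of the hardcoded zip path per time bucket, and flag buckets that are far above the normal rate and consist mostly of fetches that do not look like browser downloads. The "looks human" rule and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format as written by nginx/Apache defaults (assumed layout).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET = "/torbrowser/6.5.1/tor-win32-0.2.9.10.zip"  # path from the quoted article

def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    return e

def looks_human(e):
    # Heuristic only (assumption): a browser User-Agent plus a Referer from a
    # download page; scripted fetches of a hardcoded URL usually carry neither.
    ua = e["ua"].lower()
    browser = any(k in ua for k in ("mozilla", "firefox", "chrome", "safari"))
    return browser and e["referer"] not in ("", "-")

def download_stats(lines, path=TARGET, bucket_seconds=60):
    """Per time bucket: (successful GETs of `path`, how many look scripted)."""
    total, scripted = Counter(), Counter()
    for line in lines:
        e = parse(line)
        if e is None or e["path"] != path or e["status"] != "200":
            continue
        b = int(e["ts"].timestamp()) // bucket_seconds * bucket_seconds
        total[b] += 1
        if not looks_human(e):
            scripted[b] += 1
    return {b: (total[b], scripted[b]) for b in total}

def flag_buckets(stats, baseline, factor=10, scripted_ratio=0.8):
    """Buckets far above the usual per-bucket rate where most fetches look scripted."""
    return sorted(b for b, (n, s) in stats.items()
                  if n >= factor * max(baseline, 1) and s / n >= scripted_ratio)

# Constructed sample: one ordinary download in the morning, then a burst of
# bare fetches (no Referer, no User-Agent) of the same file in the afternoon.
HUMAN = '"https://www.torproject.org/download/" "Mozilla/5.0 (Windows NT 10.0) Firefox/53.0"'
SAMPLE = ['198.51.100.7 - - [12/May/2017:10:00:05 +0000] "GET %s HTTP/1.1" 200 3123456 %s' % (TARGET, HUMAN)]
SAMPLE += ['203.0.113.%d - - [12/May/2017:13:30:%02d +0000] "GET %s HTTP/1.1" 200 3123456 "-" "-"'
           % (i, i, TARGET) for i in range(10)]
SAMPLE += ['192.0.2.9 - - [12/May/2017:13:30:40 +0000] "GET %s HTTP/1.1" 200 3123456 %s' % (TARGET, HUMAN)]
```

Run `flag_buckets(download_stats(SAMPLE), baseline=1)` to get the afternoon bucket back; the baseline would come from the same statistic over a quiet period.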